Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 14:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Resource: win7-20240221-en
General
- Target: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Size: 381KB
- MD5: 891820fd2e1bbe5f5f74cd2b77a1f6b9
- SHA1: 682a00cb848ded94d88e218f222803214a040774
- SHA256: 0d2e62e016f98d3213e3ac755d335795035b76f6ad9d6b5370df9ca0cced055c
- SHA512: 545fe42e8191657d7e45db77f58c1e83d9c8839ce07da1c1dcecb8d08056a4ca61ed2ab70e5498e15fb30e95df6b73703bd181a3d0f25040e1004f46a0c8a03c
- SSDEEP: 6144:wRHGKZMkhBE45nstM7gSD3OqpNsvSUvyvdLkld9Bgxoa4zrfVqAhRLh42ZdzMovS:a2SBHnsWMS3Ns5vyVcdmo9TjpKsQ7Y4
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: kamuchehddhgfgf.ddns.net:1187, 37.0.10.22:1187
- Mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d
Attributes:
- activate_away_mode: true
- backup_connection_host: 37.0.10.22
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-17T00:05:39.048278936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1187
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kamuchehddhgfgf.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansvc.exe"
- Checks whether UAC is enabled
  Process: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1108 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe) set thread context of PID 3456 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe)
- Drops file in Program Files directory (2 IoCs)
  Process: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  File opened for modification: C:\Program Files (x86)\WAN Service\wansvc.exe
  File created: C:\Program Files (x86)\WAN Service\wansvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3456 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe), 4 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 3456 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 3456 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1108 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe) wrote to memory of PID 3456 (Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe), 8 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- memory/1108-9-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/1108-2-0x0000000001610000-0x0000000001620000-memory.dmp (Filesize: 64KB)
- memory/1108-3-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/1108-1-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/1108-0-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/3456-4-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3456-7-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/3456-8-0x00000000014D0000-0x00000000014E0000-memory.dmp (Filesize: 64KB)
- memory/3456-10-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/3456-12-0x00000000014D0000-0x00000000014E0000-memory.dmp (Filesize: 64KB)
- memory/3456-14-0x0000000075240000-0x00000000757F1000-memory.dmp (Filesize: 5.7MB)
- memory/3456-15-0x00000000014D0000-0x00000000014E0000-memory.dmp (Filesize: 64KB)
- memory/3456-16-0x00000000014D0000-0x00000000014E0000-memory.dmp (Filesize: 64KB)